[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Account Lockout Audit

Posted on 2011-10-10
Medium Priority
Last Modified: 2012-05-12
I have a user that keep locking out in active directory
i used with the microsoft tools but no helpuel.
i configured audit policy via gpo in the domain controller level policy as follow:

Audit account logon events:  Success,Failure
Audit Account manament       Success,Failure
Audit Directory Service Access  Sucess
Audit Logon events               Success,Failure
Audit object Access                Success,Failure
Audit policy change                 Sucess
Audit Previlege use                 No auditing
Audit Process Tracking            No auditing
Audit System Events                Sucess

But again
When im trying to lock my username i cant find the audit that says account locked out

i have 3 domain controllers.



Question by:Senx
  • 3
  • 2
LVL 81

Expert Comment

ID: 36942424
you need to get the altools.exe http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
You should see a security event on combination of DC's that locks the user out because of credential mismatch.

I.e. the user changed password, but is resuming a remote session that continuously runs in a terminal server.
The user has shared resources mapped with the old password control keymgr.dll.
The tool will let you locate the source from which this user's credentials are being submitted.

Author Comment

ID: 36947762
thanks fot your answer

i figure out with altools what machine locked me out

but i checked for sevices and schedualed tasks if there anything that ran on my account but non of them used my account

there is any ideas what can lock my account.?
LVL 81

Expert Comment

ID: 36948402
Failed attempts to access resources using outdated credentials is the only thing.
When you say,  "i figure out with altools what machine locked me out" do you mean you found the system from which the failed requests were being made or are you talking about the DC that actually locked the account?
The DC is not the cause for the lockout it is a consequence of failed authentication attempts that were received by it.
You need to determine the system from which your username with the wrong password were being used and why.  Is that system a terminal server? Does your last password change correspond to when your account began to be locked out?  Do you have a laptop that is always on (hibernate) that you take with you and then connect into the LAN where you still use your old password to unlock/login into the laptop? If so, this is the source of your issue.

Author Comment

ID: 36978331
Thank you for your answer

yes i mean i found the system from which the failed requests being made .

the system is not a terminal server
xp sp3
not a laptop
LVL 81

Accepted Solution

arnold earned 1000 total points
ID: 36979151
Part of the ALTools there is an XP subfolder that deals with setting up/adding a DLL and registering in order to determine the cause/source on the XP for the many requests

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question